How to secure Tomcat against CVE-2020-1938

Solution Verified - Updated -


  • Tomcat (9.0.0.M1 to, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99) ships with an AJP Connector enabled by default that can be exploited by an attacker.


  • Red Hat Enterprise Linux
    • 5.x ELS
    • 6.x
    • 7.x
    • 8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)
  • Tomcat
    • 7.0.0 to 7.0.99 with AJP Connector enabled
    • 8.5.0 to 8.5.50 with AJP Connector enabled
    • 9.0.0.M1 to with AJP Connector enabled

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In